[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1053098: unadf 0.7.11a-5 calls system() with unsanitized input

Hi,

On Wed, Sep 27, 2023 at 01:19:31PM +0300, Jani Nikula wrote:
> Package: unadf
> Version: 0.7.11a-5
> Severity: grave
> Tags: security
> Justification: user security hole
> X-Debbugs-Cc: Debian Security Team <team@security.debian.org>
> 
> Dear Maintainer,
> 
> See upstream ADFLib commit 8e973d7b8945 ("Fix unsafe extraction by using
> mkdir() instead of shell command") [1].
> 
> 'unadf' passes the directory names within an ADF to system()
> unsanitized. In the most benign failure case, directory names beginning
> with '-' are interpreted as options to mkdir, and unpacking the ADF
> fails.
> 
> Please update unadf to fixed upstream version.
> 
> [1] https://github.com/lclevy/ADFlib/commit/8e973d7b894552c3a3de0ccd2d1e9cb0b8e618dd

Those are CVE-2016-1243 and CVE-2016-1244 and it looks that the
unstable upload back then, which was aiming to fix the issue,
0.7.11a-4, did not include the patch and so the issue remained unfixed
for all subsequent releases.

I'm merging this back to 838248 and updating the metadata.

Regards,
Salvatore
Reply to: